
GDPR and the Cloud

Tue, 20 Jun 2017 05:05PM

Today I attended Scot-Cloud in Edinburgh, a free conference hosted by Digit, an independent business technology community in Scotland. There was a lot of conversation about GDPR; in fact it was mentioned in all of the talks, and there were two talks specifically on it too. The first talk was by Martin Sloan of Brodies LLP Solicitors and the second by Lilian Edwards, a Professor of Internet Law at the University of Strathclyde. Both were really interesting, despite what some people might call a dry subject matter!

The GDPR, the General Data Protection Regulation, is an EU regulation intended to unify and strengthen data protection for all EU members. In the UK it will replace the Data Protection Act and will apply from 25th May 2018. It's a very large regulation - some 88 pages of dense text - and contains all sorts of enhancements to privacy and accountability.

Some key points I noted from the two talks, over and above what I already knew about it:

Regarding Brexit, the UK would still absolutely need to continue with GDPR if we were to store any EU data here. However, Lilian warned that, like the breakdown of the Safe Harbour agreement (the EU/USA personal data storage agreement), the UK could be deemed 'inadequate' even with GDPR because of our 'Snoopers' Charter', the Investigatory Powers Act. On that topic Edward Snowden tweeted, "The UK has just legalised the most extreme surveillance in the history of western democracy. It goes further than many autocracies."

The GDPR still maintains the idea of a data controller and a data processor. In cloud computing this area gets murky as to who is classified as what, especially where a SaaS may rely on a PaaS which may rely on an IaaS, etc. In 2014 the Court of European Justice declared Google to be a Data Controller, where previously it would have been seen only as a Data Processor.

In an almost too well-timed monthly procession, each of the major cloud providers announced their GDPR readiness:

In February, Microsoft Azure stated they are committed to GDPR compliance and provide GDPR-related assurances in their contractual commitments.

In March, IBM Cloud announced they were one of the first cloud providers to sign up to the EU Data Protection Code of Conduct for Cloud Service Providers.

In April, AWS declared themselves compliant with GDPR and have a Data Processing Agreement in place.

And finally, in May, Google Cloud Platform stated they were committed to GDPR compliance and will make important updates to contractual commitments that directly address GDPR requirements (but haven't done so yet - Google don't seem to be quite as ready as the others...).